Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host

ABSTRACT

Highly secure portable storage device includes a physical input device, a memory and a controller, all of which reside within or on the device itself. The controller may determine whether the device is in an exclusive or nonexclusive mode, whether the device is in a privileged mode, a locked mode or a protected mode, and whether a request is made to self-transform to a renewed mode. When the request is made and the device is in the nonexclusive mode, the device self-transforms to the renewed mode without requiring communication with the host and without requiring access code verification. When the request is made and the device is in the exclusive mode, the device self-transforms to the renewed mode only when a privileged security access code is verified. Transforming to a renewed mode sets all access codes to null and sets a new encryption key. Other methods and implementations are described.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of application Ser. No. 16/660,770, filed on Oct. 22, 2019, the entirety of which is incorporated herein by reference for all purposes.

TECHNICAL FIELD

The present description relates in general to computer-based storage devices, and more particularly to, for example, without limitation, a portable storage device with an internal controller that can self-verify access codes and self-convert from a current mode to a renewed mode without communicating with a host and related methods.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embodiments and together with the description serve to explain the principles of the disclosed embodiments. In the drawings:

FIG. 1 illustrates an example of architecture for a host and portable secure storage devices.

FIG. 2 is a block diagram illustrating an example of a host and a portable secure storage device.

FIG. 3 illustrates an example of modes and operations of a portable secure storage device.

FIG. 4 illustrates an example of operations performed by a portable secure storage device.

FIG. 5 illustrates another example of operations performed by a portable secure storage device.

In one or more implementations, not all of the depicted components in each figure may be required, and one or more implementations may include additional components not shown in a figure. Variations in the arrangement and type of the components may be made without departing from the scope of the subject disclosure. Additional components, different components, or fewer components may be utilized within the scope of the subject disclosure.

DETAILED DESCRIPTION

The detailed description set forth below is intended as a description of various implementations and is not intended to represent the only implementations in which the subject technology may be practiced. As those skilled in the art would realize, the described implementations may be modified in various different ways, all without departing from the scope of the present disclosure. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive.

In one or more advantageous implementations, a portable secure storage device provides a highly secure, flexible, host-free solution. A portable secure storage device may include a physical input device (e.g., a keypad), a mass storage memory and a controller.

In one or more aspects, the portable secure storage device does not require any host control, software or input for its normal operation or management (e.g., to lock or unlock the device, to authenticate the device, or to encrypt or decrypt data to or from a mass storage memory). The portable secure storage device can be self-authenticated as it uses its own input device and its own controller, all of which reside within or on the portable secure storage device itself. The portable secure storage device does not need a host for authentication. During a normal operational mode, the portable secure storage device, rather than a host, receives a security access code from a user via the device's own input device. The portable secure storage device can determine whether the security access code matches an access code securely stored within the device, without using any input, instruction or data from a host. Thus, the portable secure storage device itself, rather than the host, receives and processes the security access code. The security access code is maintained only within the portable secure storage device and is never shared with the host. As the host plays no part in encryption key generation/management or in authentication, host-side software (including malware on the host) has no access code or key to capture or tamper with, and the risk of compromise through host software is substantially reduced.

Besides the normal operating mode (e.g., reading and writing data), there may be times when it is beneficial and advantageous to be able to place the portable secure storage device into a renewed mode. In this mode, the storage device does not contain any access code that can be used for verification to unlock and operate the device in its normal operating mode, and, because the data encryption key is replaced, any data previously encrypted and stored in the device cannot be decrypted. Furthermore, all configuration profiles, which are not access codes, are changed to their default values. This renewed mode may be useful when the access codes are forgotten or misplaced or when it is desirable to erase all data, format and settings so that the device can be redeployed fresh.

One implementation may permit any user (e.g., a privileged user, a restricted user, or other users) to place the device into a renewed mode without any restriction. The disadvantage of this implementation is that any user (even an unauthorized user) can put the device into a renewed mode. Once in a renewed mode, that user can re-configure the device any way he or she desires. For example, if a device belongs to a company and if an unauthorized user places the device into a renewed mode, then he or she can re-configure and use the device in a manner that is against the company's computer security policy.

In one or more aspects, this disclosure provides new advantageous methods that can prevent unauthorized conversion of the device into a renewed mode. The subject disclosure provides two modes: an exclusive mode and a nonexclusive mode. These modes can be set or changed when a privileged security access code is verified. If the device is in a nonexclusive mode, then the device can be converted from a current mode to a renewed mode without restrictions. If, however, the device is in an exclusive mode, and if a privileged security access code is not verified, then the device is prevented from entering into a renewed mode even if a restricted security access code has been verified.

The subject technology addresses challenges arising in the realm of computer technology by providing a solution rooted in hardware and firmware, for example, by providing a portable secure storage device with an internal controller that can self-authenticate, self-determine whether a request for conversion has been made, self-determine the modes of the device, and self-convert the device to a renewed mode only when appropriate. Each of these operations can be carried out securely, efficiently and promptly without communicating with a host or using the host. By enabling the portable secure storage device to perform self-authentication, self-determination, and self-conversion in such a manner and not sharing the access codes, instructions or encryption key(s) with the host, the subject technology can greatly enhance security of the portable secure storage device. On the host side, no special software or driver is required, thereby improving the performance of the host by eliminating installation and execution overhead of such extra software.

FIG. 1 illustrates an example of architecture for a host and secure storage devices suitable for practicing one or more implementations of the disclosure. The architecture shown in FIG. 1 is for illustration purposes, and other architecture implementations and methods are within the scope of the disclosure. The architecture 100 includes a host 120 and portable secure storage devices 110 connected over a communication bus 130.

The host 120 is operable to connect to the portable secure storage devices 110. In some aspects of the present technology, the host 120 may be a computer with a general-purpose operating system. In other aspects of the present technology, the host 120 may be an embedded system. Multiple portable secure storage devices 110 can be connected to the host 120 over a common data terminal (e.g., the communication bus 130).

The host 120 can be, for example, a desktop computer, a personal computer (PC), a server, a mobile computer, a tablet computer (e.g., an e-book reader), a mobile device (e.g., a smartphone or personal digital assistant (PDA)), or any other type of device or system having appropriate processor, memory, and communications capabilities for connecting to the portable secure storage device(s) 110. The host 120 may include one or more computing devices. The host 120 may include an input device 216 and an output device 214. The host 120 may connect to the portable secure storage devices 110 for reading and writing images, sounds, videos, and other data.

A portable secure storage device 110 can be a storage device having appropriate processor, memory, and communications capabilities for storing secure data, serving as a secure data back-up, and/or transferring secure data. The secure data may be accessible by various computing devices including the host 120 over the communication bus 130. A portable secure storage device may be sometimes referred to as a portable storage device, a storage device, a device, a drive, a memory apparatus or an apparatus. For example, a portable secure storage device 110 may represent a portable hard disk drive, a portable solid-state drive, a flash memory key, an encased portable storage device, an encased portable secure storage device, a portable storage device, or another storage device.

The communication bus 130 can include or can be a part of, for example, any one or more of a universal serial bus (USB), IEEE 1394, Thunderbolt 3, Ethernet, serial advanced technology attachment (SATA), external serial ATA (eSATA) and/or any other type of communication bus, communication interface or communication port. A communication bus may be referred to as a communication channel, a communication medium, or vice versa. Further, the communication bus 130 can include, but is not limited to, any one or more of the following network topologies, including a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or hierarchical network, or any other suitable type of network.

FIG. 2 is a block diagram illustrating an example of a system including a portable secure storage device and a host. The system shown in FIG. 2 is for illustration purposes, and other systems and methods are within the scope of the disclosure. A system 200 may include a host 120 and a portable secure storage device 110 connected over a communication bus 130 via respective communications modules 218 and 238.

The communications modules 218 and 238 are configured to interface with the communication bus 130 to send and receive information, such as data, requests, responses, and commands between the host 120 and the portable secure storage device 110. The communications modules 218 and 238 can be, or can be a part of, for example, serial bus connectors or interfaces. The communications modules 218 and 238 may be referred to as, or may include, network interfaces or communication interfaces. In one or more examples, the communications module 218 and the communication bus 130 may be a part of a USB. In one example, the communications module 238 may be a part of a USB connector, and the communications module 218 and the communication bus 130 may be a part of a USB port(s), and the USB connector may be connected to the USB port. In one example, each of the communications modules 218 and 238 and the communication bus 130 is a wired communications module or bus. In another example, each of the communications modules 218 and 238 and the communication bus 130 may be a wireless communications module or bus. In one or more implementations, the communications modules 218 and 238 and the communication bus 130 may include, or be part of, a wireless interface(s), a wireless port(s), a wireless medium/media, and/or a wireless channel(s) to allow wireless communications between a host and a portable secure storage device(s).

The host 120 includes a processor 212 and a memory 220. The memory 220 may be a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing. The memory 220 of the host 120 includes an operating system 222, which may be a general-purpose operating system or an embedded operating system. The memory 220 may also include one or more applications, such as a configurator application (not shown), to communicate with the portable secure storage device 110. From the memory 220, the processor 212 may retrieve instructions to execute and data to process in order to facilitate some of the processes of the subject disclosure. The processor 212 can be a single processor, multiple processors, or a multi-core processor in different implementations.

The portable secure storage device 110 includes a memory 232 and a controller 258. The portable secure storage device 110 may further include a communications module 238, an input device 246, and an output device 244. The input device may be referred to as a physical input device, a physical key input device, or a key input device. The output device may be referred to as a physical output device.

In one or more implementations, the portable secure storage device 110 includes a casing (e.g., 111 as illustrated in FIG. 1) or a housing. The casing may be, for example, a metal-based casing (e.g., aluminum) or a hardened plastic material. The casing may be made of multiple parts. In one or more implementations, the memory 232 and the controller 258 are disposed within the casing.

In one aspect, the memory 232 is configured to store secure data (e.g., encrypted data). The memory 232 may be, or may include, a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, registers, or a combination of some or all of the foregoing. In some aspects, the memory 232 is a non-volatile memory unit that stores and retains data even when the portable secure storage device 110 is powered off. The memory 232 may include one or more memories. The memory 232 may include a flash memory, a hard drive, a solid-state drive, or some combination thereof. In one or more implementations, the memory 232 is a mass storage device. For example, the memory 232 may store 2 gigabytes (GB) to 16 terabytes (TB) of user data or more. In one aspect, the memory 232 is the largest memory in the portable secure storage device 110. The memory 232 may be communicably coupled to the controller 258 via a bidirectional communication link 254. In one or more implementations, the link 254 is a high-speed serial advanced technology attachment (SATA) link for point-to-point connection between the memory 232 and the controller 258.

The physical input device 246 enables a user to communicate information and select commands to the portable secure storage device 110. For example, the physical input device 246 may receive a security access code from a user (e.g., a privileged user or a restricted user) to facilitate unlocking of the portable secure storage device. The security access code may also facilitate authentication of the user. The physical input device 246 may receive other control input to control the operation of the portable secure storage device. For instance, the physical input device 246 may receive a control input from a user (e.g., generated by the user pressing a button or a sequence of buttons) to convert a portable secure storage device 110 from a current mode to a renewed mode. In one example, when a user presses a first sequence of buttons (e.g., a request followed by a valid privileged security access code) which places the device 110 into a privileged mode, the user can press a second sequence of buttons to request conversion of the portable secure storage device 110 from the privileged mode to a renewed mode.

The physical input device 246 may include any acoustic, speech, visual, touch, tactile and/or sensory input device, such as a keypad, a switch, a jumper, a pointing device, a dial, a sensor device (e.g., a biometric sensor, a finger sensor, a biometric iris recognition sensor), or a touchscreen. A keypad may include alphanumeric keys or buttons. The keypad may also include keys or buttons with symbols (e.g., a key or button with a lock symbol, a key or button with an unlock symbol). In one or more implementations, the physical input device 246 is disposed on or at the casing (e.g., an outer surface of the casing) so that a user can access the physical input device. Having a physical input device on the portable secure storage device itself allows a user to securely access the device or prevent access to the device and to place the portable secure storage device 110 into a different mode without using an external system, such as a host computer or host software. The physical input device 246 is configured to receive an input provided by a user. In one or more implementations, the input includes one or more keypad entries, a switch setting, a jumper setting, a biometric-based entry, a touch gesture entry, or a combination thereof. To prevent accidental inputs, one or more components of the physical input device 246 may be recessed or hidden under a cover.

The physical output device 244 may be disposed on or at the outer surface of the casing and configured to display an indication of the operation or status of the portable secure storage device 110. Such indication may be controlled by the controller 258. The output device 244 may enable, for example, the display or output of visual or audible signaling by the controller 258. The indication may include a signal indicating, for example, whether the portable secure storage device 110 is in an exclusive mode, a nonexclusive mode, a renewed mode, an operating mode, a privileged mode, a locked mode, an unlocked mode, a protected mode or another mode, and/or indicating a connection state to the host 120 or an operational state of the device 110. The output device 244 may include any visual, auditory, tactile, and/or sensory output device to allow a user to detect an indication of the operation of the portable secure storage device 110. For example, the output device 244 may include one or more multicolored light emitting diodes (LEDs) or LEDs with color tinted light guides. One or more implementations may include a device(s) that functions as both an input and output device, such as a touchscreen. An input device 246 may be a portion of an input and output device. An output device 244 may be a portion of an input and output device.

The communications module 238 of the portable secure storage device 110 is configured to connect the portable secure storage device 110 to the communication bus 130 external to the casing. The communications module 238 may include, or may be a part of, a USB connector (e.g., USB-A, USB-B, USB-C, mini-USB, micro-USB or USB 3). These are examples, and the communications module 238 is not limited to these examples. The communications module 238 may be, for example, disposed partially within the casing and partially outside the portable secure storage device 110. In one or more examples, the communications module 238 is coupled to and protrudes from the casing.

In one or more implementations, the portable secure storage device 110 includes a battery(ies) (not shown) that may power the portable secure storage device 110 or a portion(s) thereof. In one example, the battery(ies) may power the controller 258 (or a portion(s) thereof), the physical input device 246, and/or the physical output device 244. The battery(ies) may be rechargeable, for example, by using bus or line power. In another implementation, the portable secure storage device 110 does not include a battery.

Still referring to FIG. 2, in one or more implementations, a controller 258 is coupled to the memory 232, the physical input device 246, the physical output device 244, and the communications module 238. The controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120).

In one example, a controller 258 is a single controller. In another example, a controller 258 includes multiple controllers (e.g., two controllers or more than two controllers). A controller may be sometimes referred to as a microcontroller, a multi-core controller, a controller module, a processor, a processor module, a microprocessor, a microprocessor module, or a portion(s) thereof or vice versa. A controller(s) within a controller 258 may be sometimes referred to as a microcontroller(s). A microcontroller may include one or more microcontrollers. When a controller 258 has multiple microcontrollers, each microcontroller may perform different functions, and a microcontroller may be implemented with a different level of security protection (e.g., a high, medium, or low security level). Such security level may be implemented in hardware, firmware, or a combination thereof.

A controller 258 may be a single integrated circuit (IC) chip (or a single die) or may include multiple IC chips. Multiple controllers within the controller 258 may be on a single chip. Multiple controllers within the controller 258 may be on separate chips.

In one or more implementations, a controller 258 is not a general-purpose processing device. In one or more implementations, a controller 258 includes one or more application-specific digital signal processors or one or more application-specific integrated circuits. In one or more implementations, a controller 258 may include discrete hardware components or other suitable components that can perform the functions described herein. In one or more examples, a controller 258 (or one or more microcontrollers therein) is implemented in hardware and embedded firmware (without high-level software applications).

Microcontrollers within the controller 258 may be coupled, directly or indirectly, to each other, using communication links. A communication link may be a serial peripheral interface (SPI) bus for synchronous communication between the microcontrollers. A communication link may be a bidirectional communication link. A communication link may be an inter-integrated circuit (I²C) bus, where one microcontroller is implemented as a master node and another microcontroller is implemented as a slave node, in some examples. Other communication links may include, without limitation, a universal asynchronous receiver-transmitter (UART) interface, a general-purpose input/output (GPIO) interface, a peripheral component interconnect express (PCIe) interface, various SATA interfaces, an embedded multimedia controller (eMMC) interface, or a universal flash storage (UFS) interface. These are examples, and a communication link is not limited to these examples.

In one or more implementations, a controller 258 includes a local memory 240. The local memory 240 may be a read-and-write memory, a read-only memory, EEPROM, registers, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing. A local memory 240 may be a single memory or multiple memories. A memory may include one or more memories. When a controller 258 includes multiple microcontrollers and multiple memories, each microcontroller may have its associated local memory(ies). Such local memory(ies) may reside within its corresponding microcontroller. Such local memory(ies) may reside outside its corresponding microcontroller. A memory may be implemented with a different level of security protection. The security level may be implemented in hardware, firmware, or a combination thereof.

The local memory 240 or a memory(ies) therein may be configured to store firmware. The local memory 240 or a memory(ies) therein may be configured to store instructions and/or data, including parameters, flags, and/or information to control the operations of the controller 258 or the device 110. The local memory 240 or a memory(ies) therein may store instructions/data that the controller 258, a microcontroller(s) therein, and/or another component(s) may need at runtime. From the local memory 240 (or a memory(ies) therein), the controller 258, a microcontroller(s) within the controller 258, and/or another component(s) may retrieve instructions to execute and data to process in order to execute the processes of the subject disclosure.

In one or more implementations, all instructions/data (e.g., configuration profiles, other data, indications, keys, instructions, parameters, flags and information) stored in the portable secure storage device 110 (e.g., in the local memory 240) are encrypted or securely stored. In one or more other implementations, some instructions/data (e.g., a portion or some of the configuration profiles, other data, indications, keys, instructions, parameters, flags and/or information) stored in the portable secure storage device 110 (e.g., in the local memory 240) are encrypted or securely stored. In one or more yet other implementations, some instructions/data (e.g., configuration profiles, other data, indications, keys, instructions, parameters, flags and/or information) stored in the portable secure storage device 110 (e.g., in the local memory 240) are not encrypted. In one or more implementations, the user data stored in the memory 232 is encrypted or securely stored.

The controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120). The controller 258 may prevent the host 120 from accessing and configuring the portable secure storage device 110 when the secure storage device 110 is not in a configuration-ready mode.

In one or more implementations, configuration profiles of a portable secure storage device are settable or changeable by a privileged user. For example, a privileged user may change configuration profiles such as security information (e.g., access codes) or other configuration settings (e.g., auto-lock, lock-override, or other settings) associated with configuration of the portable secure storage device. This change can be made by the portable secure storage device, for example, using a physical input device (e.g., 246) and a controller (e.g., 258) of the portable secure storage device. In an alternative example, this change to the portable secure storage device may be made when the portable secure storage device is in a configuration-ready mode. Furthermore, the configuration profiles of the portable secure storage device may be changed by a configurator application of a host when a portable secure storage device is in a configuration-ready mode. The configurator application can also set or change a mode of the portable secure storage device (e.g., to a locked mode or to a privileged mode). In one aspect, when a portable secure storage device is in a configuration-ready mode, the device may be permitted to be recognized by a host when the device is connected to or plugged into the host.

FIG. 3 illustrates an example of modes and operations of a portable secure storage device, such as a device 110 (e.g., a controller 258). The operations shown in FIG. 3 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below are provided with reference to FIGS. 1, 2 and 3.

The example in FIG. 3 illustrates various modes of a portable secure storage device 110, including a nonexclusive mode 310A, an exclusive mode 310B, a privileged mode 320, a locked mode 330A, 330B, a protected mode 340A, 340B, a renewed mode 360, and an end-of-life mode 350. A device 110, however, is not limited to these modes, and the operations of the device 110 are not limited to the paths shown in FIG. 3.

Privileged Mode

In one example, a controller 258 may set a mode of a portable secure storage device 110 to a privileged mode (e.g., 320). This may occur, for example, (a) when a request is made to place the device 110 into the privileged mode (e.g., by a privileged user pressing one or more predetermined buttons for such a request on a keypad at an input device 246), and (b) when a privileged security access code (e.g., entered by a privileged user via an input device 246) is verified against a privileged access code stored in the portable secure storage device 110 (e.g., stored in the controller 258 or the memory 240).

For example, a device 110 may enter a privileged mode when a controller 258 receives a request, which is followed by receipt and verification of a correct privileged security access code. The request may be made, for example, by a privileged user pressing an unlock-symbol button, followed by a number-2 button on a keypad, at an input device 246. In one aspect, the controller 258 may self-convert the device 110 to a privileged mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.

In a privileged mode, the device 110 can be converted from an exclusive mode 310B to a nonexclusive mode 310A and vice versa. In one aspect, when the device 110 is not in the privileged mode, the device 110 is prevented from converting between the exclusive mode and the nonexclusive mode. In a privileged mode, the stored privileged access code may be changed to a new valid privileged access code. For example, the controller 258 may accept a new privileged security access code (e.g., received at the input device 246) and store the new privileged security access code as the new valid privileged access code. In a privileged mode, some or all access codes (e.g., a privileged access code, a restricted access code, a recovery access code, a concealed access code, and/or a combination thereof) may be newly set or may be changed. In a privileged mode, all other configuration profiles of the device 110 that are changeable by a controller 258 (e.g., settings for auto-lock, lock-override, read-only, a minimum length of an access code, and implementing or enabling/disabling various other modes/features) may be set or changed.

A portable secure storage device may be in a privileged mode while it is in a nonexclusive mode or an exclusive mode. A device 110 may enter a privileged mode (a) from a locked mode (e.g., 330A) via a path 324A while the device 110 is in a nonexclusive mode or (b) from a locked mode (e.g., 330B) via a path 324B while the device 110 is in an exclusive mode. A device 110 may enter a privileged mode from a renewed mode (e.g., 360). In one aspect, when a device 110 is in a privileged mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a privileged mode, the device is not recognizable by the host even if the device is powered by the host.

Locked Mode

In one example, a controller 258 may lock a portable secure storage device 110 so that the device 110 is in a locked mode (e.g., 330A, 330B). A device 110 may enter into a locked mode when one or more of the following occur:

-   -   the input device (e.g., 246) receives a request to lock the        portable secure storage device. For example, a request can be        made while in a privileged mode (see, e.g., path 322A or 322B)        when a device is in a nonexclusive mode or in an exclusive mode.        In addition or alternatively, a request can be made while a        device 110 is in another mode (e.g., an operating mode such as a        reading or writing mode) (not shown in FIG. 3). If the request        is made while the device 110 is in an operating mode, then the        device 110 converts to a locked mode after the device finishes        its operation (e.g., reading or writing);    -   power from a host (e.g., 120) to the portable secure storage        device (e.g., 110) is interrupted;    -   the portable secure storage device is disconnected or unplugged        from the host;    -   the portable secure storage device is electrically disengaged        from the host, e.g., in response to a request;    -   the portable secure storage device idles for a period of time;        or    -   the portable secure storage device is not connected to or not        plugged into the host within a period of time after a security        access code received at the input device is verified.

A portable secure storage device may be in a locked mode (e.g., 330A)while it is in a nonexclusive mode, or in a locked mode (e.g., 330B)while it is in an exclusive mode. In one aspect, when a portable securestorage device (e.g., 110) is in a locked mode, the portable securestorage device is not recognizable by a host (e.g., 120) even if theportable secure storage device is connected to or plugged into the host.In one aspect, when a device 110 is in a locked mode, the device is notrecognizable by the host even if the device is powered by the host.

In one aspect, a conversion into a locked mode may occur withoutreceiving or sending any input, instruction, command or data from or tothe host. In one aspect, a conversion into a locked mode may occur whilethe device 110 is connected to the host. In one aspect, a conversioninto a locked mode may occur while the host provides power to the device110. In one aspect, a conversion into a locked mode may occur while thedevice 110 is disconnected from the host.

Protected Mode

In one example, a controller 258 may set a mode of a portable secure storage device 110 to a protected mode (e.g., 340A, 340B). In one aspect, the controller 258 may self-convert the device 110 to a protected mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.

A controller 258 may set a mode to a protected mode when the number of unsuccessful security access codes (e.g., incorrect privileged security access codes or incorrect restricted security access codes) entered (e.g., into the input device) exceeds a threshold number.

When a controller 258 enables a protected mode (e.g., while the device 110 is in a privileged mode prior to entering into a protected mode), a controller 258 may store at least two representations (e.g., two different hash values) of a privileged access code at different locations of the controller 258 (e.g., different locations in a memory 240). For example, one representation may be stored at an EEPROM address 0x333, and another representation may be stored at an EEPROM address 0x555.

In one example, when the device 110 enters into a protected mode, the controller 258 may set all access codes stored in the device 110, except one access code (e.g., one of the at least two representations), to nullified access codes. In this regard, the one access code which is not nullified (e.g., one of the at least two representations) may be usable to verify a privileged security access code to be received (e.g., received at the input device 246). In one aspect, further descriptions about nullified access codes are provided later with reference to a renewed mode.

In one example, when the device 110 enters into a protected mode, a controller 258 may set an encryption key of the device 110 (e.g., an encryption key existing prior to entering into the protected mode) to a new encryption key. In this regard, prior to entering into the protected mode, the device 110 may have encrypted data using the encryption key and may have stored the encrypted data in a memory (e.g., 232). In this example, after entering into the protected mode (and thereafter), such encrypted data can no longer be decrypted with the encryption key, as it is replaced by the new encryption key when the device enters into the protected mode. In one aspect, the new encryption key is unusable to decrypt the encrypted data that has been stored in the memory (e.g., 232) prior to the device 110 entering into the protected mode. In one aspect, the new encryption key is unusable to decrypt the encrypted data that has been stored in the memory (e.g., 232) prior to the new encryption key being created or set into the device 110.

In one example, when the device 110 enters into a protected mode, the controller 258 may set all configuration profiles of the device 110, excluding the nullified access codes, to predetermined values (e.g., default values).

A device 110 may enter into a protected mode (e.g., 340A) while the device 110 is in a nonexclusive mode. For example, a protected mode (e.g., 340A) is entered from a locked mode (e.g., 330A). A device 110 may enter into a protected mode (e.g., 340B) while the device 110 is in an exclusive mode. For example, a protected mode (e.g., 340B) is entered from a locked mode (e.g., 330B). In one aspect, when a device 110 is in a protected mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a protected mode, the device is not recognizable by the host even if the host provides power to the device.

End-of-Life Mode

In one example, a controller 258 may set a mode of a device 110 to an end-of-life mode (e.g., 350). In one aspect, the controller 258 may self-convert the device 110 to an end-of-life mode without communicating with a host (e.g., 120). When a device is in an exclusive mode, a controller 258 may change a protected mode (e.g., 340B) to an end-of-life mode (e.g., 350) when the number of unsuccessful privileged security access codes entered (e.g., via an input device 246) exceeds a threshold attempt number. When a device 110 enters an end-of-life mode, the device 110 is permanently disabled, cannot be redeployed for use, and is not revivable. Even if the device 110 is powered on or plugged into a host 120, the device 110 (e.g., controller 258) does not respond to any input entered at the device 110 or at the host 120. Any data stored in the device 110 is not recoverable. A device 110 that is in an end-of-life mode cannot change its mode to another mode.

In an end-of-life mode, the device 110 may contain (a) all nullified access codes, (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). An end-of-life mode may follow a protected mode, which already has (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). In this case, converting into an end-of-life mode may be carried out by nullifying the one access code or the one representation thereof (e.g., by the controller 258). However, in another aspect, converting into an end-of-life mode may be carried out by (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values.

In one aspect, when a device 110 is in an end-of-life mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in an end-of-life mode, the device is not recognizable by the host even if the device is powered by the host.

Renewed Mode

In one example, a controller 258 may set a mode of a portable secure storage device 110 to a renewed mode (e.g., 360). In one aspect, the controller 258 may self-convert the device 110 to a renewed mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.

In one aspect, in a renewed mode, a privileged access code stored in the controller 258 (e.g., 240) may be a nullified privileged access code. A nullified privileged access code is unusable to verify any privileged security access code or any security access code received (e.g., received at the input device 246) while the portable secure storage device contains the nullified privileged access code.

In one aspect, in a renewed mode, all access codes stored in the portable secure storage device (e.g., stored in the controller 258 or the memory 240) are nullified access codes. In one aspect, at least a portion of each of the nullified access codes is not representable by any input enterable at an input device (e.g., 246). For example, if the input device 246 is a keypad having only alphanumeric keys, at least a portion of a nullified access code may represent one or more characters, symbols or other items that are not alphanumeric; hence, no security access code entered via the alphanumeric keypad can match any nullified access code in the controller 258 (e.g., the memory 240).

In one aspect, none of the nullified access codes is usable to verify any security access code received (e.g., received at the input device 246) while the portable secure storage device contains the nullified access codes and does not contain any valid access code. In one aspect, none of the nullified access codes contains all zeros. In one aspect, nullified access codes are not entered by a user. In one aspect, none of the nullified access codes is a predetermined value. In one aspect, nullified access codes are not usable to unlock a storage device after the storage device is locked. In one aspect, a nullified access code (e.g., a privileged access code or a restricted access code) is not usable to facilitate unlocking the storage device after the storage device is locked. In one aspect, nullified access codes are not usable to operate the storage device during a normal operation (e.g., for an operating mode). A nullified recovery access code is not usable to launch a user-forced enrollment or to create a new recovery access code. In one aspect, all or a portion of a nullified access code is not enterable via an input device (e.g., 246).

In one aspect, all access codes include all of any privileged access code, any restricted access code, any recovery access code, and any concealed access code stored in the device 110 (e.g., stored in the controller 258 or the memory 240). In one aspect, an access code or a valid access code is a code stored in the device 110 (e.g., stored in the controller 258 or the memory 240) that can be used to verify a security access code entered (e.g., at an input device 246) to facilitate unlocking the device 110 (e.g., for reading or writing data), to facilitate placing the device 110 into a privileged mode, or to facilitate placing the device 110 into a mode in which configuration profiles of the device 110 may be set or changed.

In one aspect, in a renewed mode, the device 110 (e.g., the controller 258 or the memory 240) contains a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) before the new encryption key is created or is set into the device 110. For example, data may have been encrypted using an encryption key and stored in the memory (e.g., 232) prior to the device 110 being in the renewed mode. When the device 110 is in the renewed mode, the device 110 (e.g., the controller 258 or the memory 240) contains a new encryption key that is unusable for decrypting the data stored in the memory before the new encryption key is set into the device 110 (e.g., the controller 258 or the memory 240). In one aspect, the new encryption key is unusable for decrypting the data stored in the memory prior to the device 110 being in the renewed mode. In one aspect, the new encryption key is different from the encryption key (that existed before the new encryption key is created). In one aspect, the new encryption key is not entered by a user and is not provided by a host.

In one aspect, in a renewed mode, all configuration profiles of the device 110, excluding the access codes, are predetermined values (e.g., default values). In one aspect, predetermined values of the configuration profiles are not entered by a user.

In one example, converting the device 110 to a renewed mode may include setting the stored privileged access code to a nullified privileged access code, by a controller 258. The controller 258 may also set any stored restricted access code(s) into nullified restricted access code(s). If the device 110 contains any recovery access code(s) and any concealed access code(s), the controller 258 may also set any such stored recovery access code(s) and concealed access code(s) into nullified recovery access code(s) and nullified concealed access code(s).

The nullified access codes may include nullified privileged access code(s) and nullified restricted access code(s). The nullified access codes may also include nullified recovery access code(s) and nullified concealed access code(s).

In one example, converting the device 110 to a renewed mode may include setting, by a controller 258, an existing encryption key to a new encryption key. The new encryption key is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) before the new encryption key is set into the device 110. In one example, for the device 110 to enter into a renewed mode, a controller 258 may set an existing encryption key to a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) prior to the device 110 being in the renewed mode.

In one example, converting the device 110 to a renewed mode may include setting, by a controller 258, all configuration profiles of the device 110, excluding the nullified access codes, to predetermined values (e.g., default values).

In one example, the controller 258 self-determines the current mode of the device 110.

In one aspect, if the current mode is a protected mode (e.g., 340A in a nonexclusive mode or 340B in an exclusive mode), then the device 110 (or the controller 258 or the memory 240) may already have (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). In this case, converting into a renewed mode may be carried out simply by nullifying the one access code or the one representation thereof (e.g., by the controller 258). However, in another aspect, converting into a renewed mode may be carried out by performing all conversion activities, including (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values. These conversion activities may be carried out concurrently or sequentially (e.g., from (a) to (c), or in another order).

In one aspect, while a device 110 is in a nonexclusive mode (e.g., 310A), when a request is made to convert the device 110 from a current mode (e.g., a locked mode 330A, a protected mode 340A, or a privileged mode 320) to a renewed mode, a controller 258 may self-convert the device 110 from the current mode to the renewed mode. This self-conversion may occur (a) without the device 110 communicating with a host (e.g., 120), (b) without requiring the device 110 (or the controller 258) to make a determination of whether a privileged security access code is verified (against a privileged access code stored in the memory 240), and (c) without requiring the device 110 (or the controller 258) to make a determination of whether a restricted security access code is verified (against a restricted access code stored in the memory 240).

In one aspect, while a device 110 is in an exclusive mode (e.g., 310B), when a request is made to convert the device 110 from a current mode (e.g., a protected mode 340B, or a privileged mode 320) to a renewed mode, a controller 258 may self-convert the device 110 from the current mode to the renewed mode only when a privileged security access code received (e.g., at an input device 246) has been verified or is verified (e.g., against the stored privileged access code). This self-conversion may occur without the device 110 communicating with a host (e.g., 120).

If a controller 258 determines that the current mode is a privileged mode (e.g., 320), then the verification of the privileged security access code has already occurred before the device entered the privileged mode (prior to the request being made to convert the device 110 to a renewed mode). Hence, a re-verification of the privileged security access code is not necessary. However, in one aspect, a controller 258 may verify the privileged security access code again after the request is made and before converting the device 110 into the renewed mode.

Consequently, in one aspect, if the current mode is a privileged mode, the controller 258 may verify the privileged security access code before the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made, as such verification would have occurred prior to entering into the privileged mode. In another aspect, if the current mode is a privileged mode, the controller 258 may re-verify the privileged security access code after the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made.

In one aspect, if the current mode is a protected mode 340B, then a controller 258 may verify the privileged security access code after determining that the conversion request (i.e., a request to convert the device to a renewed mode) is made, but before converting the device 110 into the renewed mode.

In one example, a request (e.g., a request to convert the device 110 into a renewed mode) may be made by pressing one or more predetermined buttons at a keypad (e.g., at the input device) associated with the request. Depending on the current mode and depending on whether the device 110 is in a nonexclusive mode or an exclusive mode, such one or more predetermined buttons may be the same or different. For example, when the current mode is a locked mode 330A (in a nonexclusive mode), a protected mode 340A (in a nonexclusive mode), or a privileged mode 320 (for both nonexclusive and exclusive modes), such buttons may include a lock-symbol button, followed by an unlock-symbol button, followed by a number-2 button. In another example, when the current mode is a protected mode 340B (in an exclusive mode), such buttons may include an unlock-symbol button, followed by a number-0 button.

In one aspect, if the current mode is a protected mode 340B, then a privileged user may make a request to transform the device 110 to a renewed mode (e.g., by pressing one or more predetermined buttons) and then enter a correct privileged security access code (e.g., within a predetermined number of attempts). When the number of unsuccessful privileged security access codes entered (e.g., into the input device) exceeds a threshold number, the device 110 may enter into the end-of-life mode 350 instead of a renewed mode 360. For example, a controller 258 may first determine whether a request to convert the device 110 to a renewed mode is made. If so, the controller 258 may determine whether the privileged security access code entered matches the stored privileged access code. When it matches, the controller 258 may place the device 110 into the renewed mode.

In one aspect, when a controller 258 determines that a request is made to convert the device 110 from a current mode to a renewed mode while the device is in an exclusive mode (e.g., 310B), the controller 258 may self-convert the device 110 from the current mode to the renewed mode only when the privileged security access code has been verified or is verified. As discussed above, the verification may occur prior to determining that the request is made or after determining that the request is made.

In one aspect, when a device 110 is in a renewed mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a renewed mode, the device is not recognizable by the host even if the host provides power to the device.

As illustrated in FIG. 3, a device 110 may convert from a privileged mode (e.g., 320) to a locked mode (e.g., 330A, 330B) via its respective path (e.g., 322A, 322B). A device 110 may convert from a locked mode (e.g., 330A, 330B) to a protected mode (e.g., 340A, 340B) via its respective path (e.g., 332A, 332B). A device 110 may convert from a protected mode (e.g., 340B) to an end-of-life mode (e.g., 350) via its path (e.g., 344). A device 110 may convert to a renewed mode (e.g., 360) from a privileged mode (e.g., 320), a locked mode (e.g., 330A), a protected mode (e.g., 340A) or a protected mode (e.g., 340B) via its respective path (e.g., 326, 334A, 342A, 342B). A device 110 may convert to a privileged mode (e.g., 320) from a locked mode (e.g., 330A, 330B) or a renewed mode (e.g., 360) via its respective path (e.g., 324A, 324B, 328).

A device 110 may convert from a locked mode 330A to a renewed mode 360 via a path 334A, or via paths 332A and 342A. These conversions can be performed without entering or verifying a privileged security access code. In this regard, none of the paths 334A, 332A and 342A requires a privileged security access code to be entered (e.g., at an input device 246) and verified against a privileged access code stored (e.g., in a memory 240).

A device 110 may convert from a locked mode 330A to a renewed mode 360 via paths 324A and 326. This conversion requires that a privileged security access code be entered and verified, for example, against a privileged access code stored internally, e.g., in a memory 240. In this regard, the path 324A requires an entry and verification of a privileged security access code.

A device 110 may convert from a locked mode 330B to a renewed mode 360 via paths 332B and 342B, or via paths 324B and 326. These conversions require that a privileged security access code be entered and verified, for example, against a privileged access code stored internally, e.g., in a memory 240. In this regard, each of the paths 324B and 342B requires an entry and verification of a privileged security access code.
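The following Python model is an added example, not code from the patent, of the FIG. 3 paths listed above and of the renewed-mode request handling described in the preceding paragraphs: it gates the conversion on whether the device is exclusive, counts failed privileged codes toward protected mode (332A/332B) or end-of-life (344), and shows why a nullified code can never verify a keypad entry. The attempt threshold, the numeric keypad alphabet, the default configuration values and the `\xff` nullified-code marker are assumptions.

```python
import hmac
import os
from dataclasses import dataclass, field

KEYPAD_ALPHABET = frozenset("0123456789")  # assumed: numeric-only keypad
NULLIFIED_MARKER = b"\xff"  # assumed: a byte the keypad can never produce
ATTEMPT_THRESHOLD = 3       # assumed: failures beyond this trip the lockout
DEFAULT_CONFIG = {"auto_lock": False, "read_only": False, "min_code_len": 4}

LOCKED, PRIVILEGED, PROTECTED, END_OF_LIFE, RENEWED = (
    "locked", "privileged", "protected", "end_of_life", "renewed")


def nullified_code() -> bytes:
    """Non-keypad marker plus random bytes: not enterable, not all zeros,
    not a predetermined value."""
    return NULLIFIED_MARKER + os.urandom(8)


def is_nullified(code: bytes) -> bool:
    return code.startswith(NULLIFIED_MARKER)


def encode_entry(entry: str) -> bytes:
    """Only keypad characters can reach the controller from the input device."""
    if not entry or not set(entry) <= KEYPAD_ALPHABET:
        raise ValueError("not enterable at the keypad")
    return entry.encode("ascii")


@dataclass
class Device:
    exclusive: bool  # exclusive (310B) or nonexclusive (310A)
    mode: str = LOCKED
    privileged_code: bytes = field(default_factory=nullified_code)
    restricted_code: bytes = field(default_factory=nullified_code)
    key: bytes = field(default_factory=lambda: os.urandom(32))
    config: dict = field(default_factory=lambda: dict(DEFAULT_CONFIG))
    failed_attempts: int = 0

    def verify(self, entry: str, stored: bytes) -> bool:
        """A nullified stored code verifies nothing; otherwise constant-time compare."""
        if is_nullified(stored):
            return False
        return hmac.compare_digest(encode_entry(entry), stored)

    def _wipe(self, keep_privileged: bool) -> None:
        """Common to protected, renewed and end-of-life: nullify codes, replace
        the encryption key (earlier ciphertext becomes undecryptable) and
        restore default configuration profiles."""
        if not keep_privileged:
            self.privileged_code = nullified_code()
        self.restricted_code = nullified_code()
        self.key = os.urandom(32)
        self.config = dict(DEFAULT_CONFIG)
        self.failed_attempts = 0

    def _fail(self, next_mode: str) -> None:
        """Count a bad privileged code; past the threshold, move to next_mode."""
        self.failed_attempts += 1
        if self.failed_attempts > ATTEMPT_THRESHOLD:
            self._wipe(keep_privileged=(next_mode == PROTECTED))
            self.mode = next_mode

    def enter_privileged(self, entry: str) -> bool:
        """Paths 324A/324B: locked -> privileged on a verified privileged code;
        paths 332A/332B: locked -> protected after too many failures."""
        if self.mode != LOCKED:
            return False
        if self.verify(entry, self.privileged_code):
            self.mode, self.failed_attempts = PRIVILEGED, 0
            return True
        self._fail(PROTECTED)
        return False

    def request_renew(self, entry: str = "") -> str:
        """Handle a request to convert the current mode to renewed (360);
        no host communication is involved. Returns the resulting mode."""
        if not self.exclusive:
            # Paths 334A, 342A, 326: no access-code verification at all.
            if self.mode in (LOCKED, PROTECTED, PRIVILEGED):
                self._wipe(keep_privileged=False)
                self.mode = RENEWED
        elif self.mode == PRIVILEGED:
            # Path 326: the privileged code was verified on entry to this mode.
            self._wipe(keep_privileged=False)
            self.mode = RENEWED
        elif self.mode == PROTECTED:
            # Path 342B: verify now; path 344 (end-of-life) after too many failures.
            if entry and self.verify(entry, self.privileged_code):
                self._wipe(keep_privileged=False)
                self.mode = RENEWED
            else:
                self._fail(END_OF_LIFE)
        # Locked 330B has no direct path to renewed; end-of-life is final.
        return self.mode
```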

In one or more aspects, the particular modes and paths shown in FIG. 3, including the modes and paths for entering into a renewed mode and exiting from a renewed mode, provide technical advantages as they may eliminate or minimize conflicts among the modes or operations of the device 110 and allow the device 110 to communicate and operate properly. Furthermore, in one or more aspects, the technical advantages include reducing a probability that the device 110 could become unstable, which may result in damaging the device permanently. In one or more aspects, making a conversion to a renewed mode from an operating mode (e.g., an unlocked mode for reading or writing) is less desirable as such conversion could potentially commence in the middle of an operation such as reading or writing data to a memory 232 and thus could damage the device permanently.

Other Modes and Features

In addition to the modes described above, a device 110 may operate in various other modes or implement, enable or disable other modes or features.

A device 110 may be implemented with a read-only mode. When enabled (e.g., in a privileged mode), data stored in the memory (e.g., 232) cannot be modified.

A device 110 may be implemented with a lock-override mode or feature. When enabled (e.g., in a privileged mode), the device 110 may stay unlocked during a USB re-enumeration procedure. The lock override may be enabled during a reboot sequence, and when using the device 110 as a boot drive. The device 110 may remain unlocked in the lock-override state as long as the device 110 remains connected (or plugged) into a USB port of a host. When a USB connection is lost (e.g., the device 110 is unplugged from the USB port), the secure storage device 110 may become locked.

If a device 110 is implemented with a device format feature, then after the device 110 is placed into a renewed mode, the device may be unlocked and reformatted (e.g., by reformatting the memory 232) so that data files can be written into the memory 232.

A device 110 may be implemented with a concealed mode. In one aspect, when a concealed mode is enabled, an exclusive mode is disabled. Hence, only a nonexclusive mode is permitted when a concealed mode is enabled. In one aspect, when a concealed mode is disabled, the device 110 may use an exclusive mode or a nonexclusive mode. A controller 258 may be configured to determine whether an exclusive mode is enabled if a user attempts to enable a concealed mode, and the controller may provide a notification of conflict to an output device 244.

When the device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246) is verified (e.g., against a concealed access code stored in the device 110), the controller 258 is configured to set an encryption key in the device 110 into a new encryption key. The new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232) before the new encryption key is set into the device 110 (e.g., 240). If the device 110 thereafter enters into a protected mode or a renewed mode, a controller 258 may retain the new encryption key or may generate yet another new encryption key. Such another new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232) before such another new encryption key is created or is set into the device 110.

When the device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246) is verified, the controller 258 is configured to store the concealed security access code into the device 110 (e.g., the controller 258 or the memory 240) as a new privileged access code. This new privileged access code is valid and is not null. The new privileged access code becomes usable to verify another privileged security access code that may be entered after the new privileged access code is stored.

As described above, when a concealed mode is enabled, a user can input a concealed security access code into the device 110. This concealed security access code replaces the existing privileged access code stored in the device 110. Thus, this concealed security access code becomes a new privileged access code, which is then stored in the device 110 (e.g., a memory 240). Consequently, in one or more aspects, a concealed mode could be used to defeat the purpose of having an exclusive mode, because a user who has a concealed security access code could bypass the security measures of an exclusive mode (as the user could store his/her concealed security access code as a new privileged access code) and place a device 110 into a renewed mode. As such, in one or more aspects, when a device 110 is in an exclusive mode, disabling a concealed mode provides a technical advantage that can prevent unauthorized conversion of the device into a renewed mode.

A device 110 may be implemented with an auto-lock mode or feature. When enabled (e.g., in a privileged mode), a controller 258 can set a predefined period of time of inactivity that causes the device 110 to lock. The device 110, however, does not lock when data is being written into the memory 232.

A device 110 may be implemented with a capability to switch the device 110 from a fixed disk to a removable disk and vice versa.

A device 110 may be implemented to permit a user-forced enrollment mode. In this mode, the device 110 may already have a privileged access code stored and require a restricted user to set up a new restricted access code to access the device 110. When the user-forced enrollment is activated, the output device 244 may provide one or more visual indications indicating that a new restricted access code needs to be programmed to gain access to the device 110.

A device 110 may enter into an operating mode (e.g., reading or writing data into a memory 232). When (a) a request is made to enter into an operating mode (e.g., an unlocked mode for reading or writing), (b) a privileged security access code or a restricted security access code is verified, and (c) the device 110 is connected to a host (e.g., 120), the device 110 (e.g., a controller 258) may perform an enumeration process with the host. For example, a controller 258 may transmit enumeration information of the device 110 via a communications module 238 and a communication bus 130. In one aspect, after the enumeration process is completed, the host 120 and the device 110 may be ready to exchange data (e.g., user data). In an operating mode, the controller 258 may (a) encrypt data received from the host 120 and write the encrypted data to a memory 232 and (b) decrypt data read from the memory 232 and provide the decrypted data to the host 120.

Access Codes

A device 110 (or the controller 258 or the memory 240) may store one ormore access codes. When a security access code received (e.g., via aninput device 246) is verified against a stored access code, a controller258 may permit access to the device 110.

One type of access code may be a privileged access code. When a privileged security access code received (e.g., received at an input device 246) is verified against a stored privileged access code, the device 110 may be placed into a mode such as a privileged mode or an operating mode. In a privileged mode, a controller 258 may be permitted to set or change the configuration profiles of the device 110, for example, implementing, enabling or disabling various modes or features described herein or changing the stored access codes.

Another type of access code is a restricted security access code. When a restricted security access code received (e.g., received at an input device 246) is verified against a stored restricted access code, the device 110 may be placed into a mode such as an operating mode. A verified restricted security access code does not place the device 110 into a privileged mode. Thus, a verified restricted security access code has fewer privileges than a verified privileged security access code.

Another type of access code may be a recovery access code. A device 110 may permit a recovery security access code to be received (e.g., at an input device 246) and stored as a recovery access code in the device 110 (e.g., 240). There may be multiple recovery access codes. After storing the recovery access code, when a next recovery security access code is received and verified against the stored recovery access code, a controller 258 may launch a user-forced enrollment. The recovery security access code is not an actual access code that is used to unlock the device 110 for an operating mode, but rather is used to place the device 110 into a state of user-forced enrollment where a new restricted access code may be created and stored. In another aspect, a recovery access code may be used to create and store a new privileged access code. Thus, a recovery access code is useful when a restricted access code and/or a privileged access code are forgotten, and it is necessary to be able to access any data stored in the memory (e.g., 232).

For example, after a recovery security access code received is verified against a stored recovery access code, a controller 258 permits a new restricted security access code to be received (e.g., via an input device 246) and stores the new restricted security access code as a new restricted access code. In another example, after a recovery security access code entered is verified against a stored recovery access code, a controller 258 permits a new privileged security access code to be received (e.g., via an input device 246) and stores the new privileged security access code as a new privileged access code.

Yet another type of access code may be a concealed access code. When a concealed mode is enabled, a concealed security access code received at an input device may be verified against a concealed access code stored in the device 110. After the verification, the verified concealed security access code or the stored concealed access code may be stored as a new privileged access code.

Converting a device 110 into a renewed mode may nullify all existing access codes stored in the device 110. Prior to entering into a renewed mode, if some access codes are already nullified, then a controller 258 may retain such nullified access codes and nullify only the other access codes. Alternatively, entering into a renewed mode may cause all access codes (whether already nullified or not) to be nullified.

A device 110 may enter into or exit from the various modes using one or more methods described herein. These methods are provided for illustration purposes, and other methods are within the scope of the disclosure.

FIG. 4 illustrates an example of operations performed by a portable secure storage device, such as a storage device 110. The operations shown in FIG. 4 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below refer to FIGS. 1 through 4.

A memory (e.g., 232) of a storage device (e.g., 110) may be disposed within a housing (e.g., 111) and is configured to store data (e.g., encrypted user data). An input device (e.g., 246) may be disposed at the housing and is configured to receive a privileged security access code and is configured to receive a restricted security access code.

The operations described in FIG. 4 may be performed by a controller of a storage device 110 (e.g., the controller 258, or one or more components within the controller 258). In one aspect, the controller may perform the operations without communicating with a host (e.g., 120). In one aspect, the controller 258 or its components may perform the instructions stored in the memory 240. In one aspect, the host is separate and distinct from the storage device. In one aspect, the storage device may be connected to the host and may receive power from the host but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 411 through 416 of FIG. 4. In one aspect, the storage device is not recognizable by the host even if connected to the host for these operations. In one example, the storage device is disconnected from the host during some or all of these operations.

As illustrated in block 411 of FIG. 4, a controller (e.g., 258 or one or more components therein) may be configured to determine whether a storage device (e.g., 110) is in an exclusive mode (e.g., 310B) or a nonexclusive mode (e.g., 310A). As illustrated in block 412, the controller may determine whether the storage device is in a privileged mode (e.g., 320), a locked mode (e.g., 330A or 330B) or a protected mode (e.g., 340A or 340B). As illustrated in block 413, the controller may determine that a request is made to self-transform the storage device to a renewed mode (e.g., 360). In one example, the blocks 411, 412 and 413 may be performed sequentially from block 411 to block 413, in reverse order, or in another order. In another example, some or all of these blocks may be performed concurrently.

As illustrated in block 414, when the request is made and when the storage device is in the privileged mode (e.g., 320), the controller may self-transform the storage device to the renewed mode, regardless of whether the storage device is in the exclusive mode or the nonexclusive mode. This self-transformation may be performed in response to the request (e.g., received via an input device 246).

As illustrated in block 415, when the request is made and when the storage device is in the nonexclusive mode (e.g., 310A), the controller may self-transform the storage device to the renewed mode (e.g., 360). This self-transformation may be performed in response to the request. In one aspect, this self-transformation is performed when the storage device is in the locked mode (e.g., 330A) or the protected mode (e.g., 340A). This self-transformation may be performed without requiring communication with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified.

As illustrated in block 416, when the request is made and when the storage device is in the exclusive mode (e.g., 310B), the controller may self-transform the storage device to the renewed mode (e.g., 360) only when the privileged security access code is verified. In one aspect, this self-transformation is performed when the storage device is in the protected mode (e.g., 340B).

In one aspect, when the storage device is transformed into the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device (e.g., 246) while the storage device contains the nullified access codes.

In one aspect, when data is encrypted using an encryption key and stored in the memory (e.g., 232) prior to the storage device being transformed into the renewed mode, and when the storage device is thereafter transformed into the renewed mode, the storage device contains a new encryption key that is unusable for decrypting the data stored in the memory (e.g., 232) prior to the storage device being transformed into the renewed mode.

In one aspect, when the storage device is in the privileged mode, the privileged security access code is verified, and the storage device is convertible between the exclusive mode and the nonexclusive mode.

In one aspect, when the storage device is in the locked mode, the storage device is not recognizable by the host even if the storage device is connected to the host.

In one aspect, when the storage device is in the protected mode, the storage device contains the new encryption key or another new encryption key, wherein such another new encryption key is unusable for decrypting data encrypted and stored in the memory prior to the storage device being in the protected mode.

In one aspect, the restricted security access code is different from the privileged security access code.

In one aspect, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.

In one aspect, when the storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from transforming the storage device to the renewed mode, even if the restricted security access code is verified.

FIG. 5 illustrates an example of operations performed by a storage device, such as a storage device 110. The operations shown in FIG. 5 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below refer to FIGS. 1 through 5.

A storage device (e.g., 110) may include a casing. A memory (e.g., 230) may be disposed within the casing and configured to store encrypted data. An input device (e.g., 246) may be disposed at the casing, configured to receive a privileged security access code, and configured to receive a restricted security access code. An output device (e.g., 244) may be disposed at the casing and configured to provide an output.

The operations described in FIG. 5 may be performed by a controller of a storage device 110 (e.g., the controller 258, or one or more components within the controller 258). In one aspect, the controller 258 or its components may perform the instructions stored in the memory 240. In one aspect, the controller may perform the operations described in blocks 511 through 514 of FIG. 5 without communicating with a host (e.g., 120). In one aspect, the host is separate and distinct from the storage device. In one example, the storage device may be connected to the host and may receive power from the host but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 511 through 514 of FIG. 5. In one aspect, the storage device is not recognizable by the host even if connected to the host for these operations. In one example, the storage device is disconnected from the host during some or all of these operations.

A controller (e.g., the controller 258, or one or more components within the controller 258) may be disposed within the casing and coupled to the input device. The controller may be configured to cause: (a) unlocking the storage device based on the privileged security access code or the restricted security access code; and (b) locking the storage device based on a request, a status, an occurrence of a first event, or an omission of a second event.

The controller may be configured to cause (a) storing a privileged access code in the controller and (b) storing a restricted access code in the controller. The controller may receive a first input via the input device (e.g., 246). In one aspect, the operations described in this paragraph are performed by the controller without communicating with the host.

As illustrated in block 511 of FIG. 5, the controller may be configured to cause determining whether a request is made to self-convert the storage device to a renewed mode (e.g., 360). The determination may be made by the controller by itself in response to the first input. The self-conversion may be carried out from a current mode to the renewed mode.

In one advantageous example, the current mode is a privileged mode. In another advantageous example, the current mode is a locked mode. In another advantageous example, the current mode is a protected mode.

As illustrated in block 512, the controller may be configured to cause determining whether the storage device is in an exclusive mode (e.g., 310B) or a nonexclusive mode (e.g., 310A). In one aspect, the blocks 511 and 512 may be performed sequentially from the block 511 to the block 512 or in reverse order. In another aspect, these blocks may be performed concurrently.

As illustrated in block 513, when the storage device is in the exclusive mode, and when the privileged security access code is verified, the controller may be configured to cause self-converting the storage device to the renewed mode. The privileged security access code may have been received at the input device (e.g., 246) and may be verified against the stored privileged access code. The self-conversion may be carried out when the request is made. The self-conversion may be carried out from the current mode to the renewed mode. This self-conversion may be performed without communicating with the host.

As illustrated in block 514, when the storage device is in the nonexclusive mode, the controller may be configured to cause self-converting the storage device to the renewed mode. This self-conversion may be carried out when the request is made. This self-conversion may be carried out from the current mode to the renewed mode. In addition, this self-conversion may be performed without communicating with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified.

In one aspect, when the storage device is in the renewed mode, the stored privileged access code is a nullified privileged access code. The nullified privileged access code is unusable to verify any privileged security access code or any security access code, which is received at the input device while the storage device contains the nullified privileged access code.

In one aspect, when data is encrypted using an encryption key and stored in the memory (e.g., 232) prior to the storage device being in the renewed mode, and when the storage device is thereafter in the renewed mode, the storage device contains a new encryption key. The new encryption key is unusable for decrypting the data stored in the memory before the new encryption key is set into the storage device.

In one aspect, the restricted security access code is different from the privileged security access code. In one aspect, the restricted security access code is usable to change fewer configuration profiles of the storage device than the privileged security access code. In one aspect, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.

In one aspect, when the storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from converting the storage device from the current mode to the renewed mode even if the restricted security access code is verified.

In one aspect, when the storage device is in the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device while the portable storage device contains the nullified access codes.

In one aspect, when the storage device is in the renewed mode with the nullified privileged access code and the new encryption key, a controller (e.g., 258) may accept a request to create a new valid privileged access code. The request may be made, for example, by pressing one or more predetermined buttons associated with the request at an input device (e.g., 246). When the controller accepts the request, a new privileged security access code is enterable (e.g., at an input device 246). In the renewed mode, the controller (e.g., 258) is configured to enable receiving and processing a new privileged security access code entered at an input device (e.g., 246) and storing the new privileged security access code as a new privileged access code in a memory (e.g., 240). In one aspect, this process of storing a new privileged access code is performed without verifying or authenticating the new privileged security access code or its source. This new privileged access code is valid and is not null. When the controller contains the new privileged access code, the storage device is no longer in the renewed mode. In one aspect, the foregoing conversion may occur via a path (e.g., 328) from the renewed mode (e.g., 360) to a privileged mode (e.g., 320). When the controller contains the new privileged access code, the storage device may be considered to be in a privileged mode (e.g., 320). The new privileged access code may be used to verify another privileged security access code to be entered at an input device. This may be, for example, to unlock the storage device or to enter into another mode.

In one aspect, after the storage device exits the renewed mode, when a second privileged security access code is inputted at the input device (e.g., 246) and verified against the new privileged access code, the storage device (e.g., controller 258) may facilitate formatting a memory (e.g., 232).

In one aspect, after the storage device exits the renewed mode, when a second privileged security access code is inputted at the input device (e.g., 246) and verified against the new privileged access code, the storage device may enable (a) receiving and processing a new restricted security access code entered at the input device (e.g., 246) and (b) storing the new restricted security access code as a new restricted access code. This new restricted access code is valid and is not null. The new restricted access code may be used to verify another restricted security access code to be entered at an input device. This may be, for example, to unlock the storage device and enter into an operating mode.
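The renewed-mode decision described for FIG. 4 (blocks 414 through 416) and FIG. 5 (blocks 513 and 514), together with the exit path from the renewed mode described above, as an added Python model that is not part of the patent or any product it describes. The class and method names, the use of SHA-256 for stored access codes, and the toy keystream cipher are assumptions made for this example.

```python
"""Added example, not code from the patent: a small model of the controller
logic for FIG. 4 (blocks 411-416) and FIG. 5 (blocks 511-514), including
what the renewed mode does to stored access codes and to the encryption
key.  Class and method names, SHA-256 for stored access codes and the toy
keystream cipher are all assumptions made for this example."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Optional


class Mode(Enum):
    PRIVILEGED = "privileged"   # e.g., 320
    LOCKED = "locked"           # e.g., 330A / 330B
    PROTECTED = "protected"     # e.g., 340A / 340B
    RENEWED = "renewed"         # e.g., 360


def _digest(code: str) -> bytes:
    # Access codes are stored as a hash, one of the forms the description
    # allows; plain SHA-256 keeps the example short.
    return hashlib.sha256(code.encode()).digest()


class SecureDevice:
    """Controller-side state only; no method here communicates with a host."""

    def __init__(self, privileged_code: str, restricted_code: str, exclusive: bool):
        self.exclusive = exclusive          # exclusive (310B) or nonexclusive (310A)
        self.mode = Mode.LOCKED
        self.privileged_hash: Optional[bytes] = _digest(privileged_code)
        self.restricted_hash: Optional[bytes] = _digest(restricted_code)
        self.key = os.urandom(32)           # data encryption key
        self.blob = b""                     # encrypted user data (memory 232)

    def verify_privileged(self, code: str) -> bool:
        # A nullified access code (None) verifies nothing.
        stored = self.privileged_hash
        return stored is not None and hmac.compare_digest(stored, _digest(code))

    def unlock_privileged(self, code: str) -> bool:
        if self.verify_privileged(code):
            self.mode = Mode.PRIVILEGED
        return self.mode == Mode.PRIVILEGED

    def request_renew(self, code: Optional[str] = None) -> bool:
        """Blocks 414-416: return True if the self-transformation is carried out.
        `code` is whatever was entered at the input device with the request."""
        if self.mode == Mode.PRIVILEGED:        # block 414: privileged mode, any exclusivity
            allowed = True
        elif not self.exclusive:                # block 415: no access-code check at all
            allowed = True
        else:                                   # block 416: verified privileged code only;
            allowed = code is not None and self.verify_privileged(code)   # restricted is not enough
        if allowed:
            self.privileged_hash = None         # all access codes become nullified
            self.restricted_hash = None
            self.key = os.urandom(32)           # new key: earlier ciphertext is unrecoverable
            self.mode = Mode.RENEWED
        return allowed

    def set_new_privileged_code(self, code: str) -> bool:
        """Path 328: only while renewed, a new privileged code is stored without
        verification, after which the device is in the privileged mode."""
        if self.mode != Mode.RENEWED:
            return False
        self.privileged_hash = _digest(code)
        self.mode = Mode.PRIVILEGED
        return True

    # Toy SHA-256 keystream, used only to make the key change observable.
    def _keystream(self, n: int) -> bytes:
        blocks = (hashlib.sha256(self.key + i.to_bytes(4, "big")).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def write(self, plaintext: bytes) -> None:
        self.blob = bytes(a ^ b for a, b in zip(plaintext, self._keystream(len(plaintext))))

    def read(self) -> bytes:
        return bytes(a ^ b for a, b in zip(self.blob, self._keystream(len(self.blob))))


def demo() -> dict:
    """Walk the decision table on constructed devices and return what was observed."""
    r = {}
    d = SecureDevice("1234", "5678", exclusive=False)    # nonexclusive, locked
    d.write(b"constructed user data")
    r["nonexclusive_locked_renew"] = d.request_renew()   # block 415: honoured with no code
    r["old_data_readable"] = d.read() == b"constructed user data"   # new key, so False
    r["old_code_still_verifies"] = d.verify_privileged("1234")      # nullified, so False
    e = SecureDevice("1234", "5678", exclusive=True)     # exclusive, locked
    r["exclusive_restricted_only"] = e.request_renew("5678")        # block 416: refused
    r["exclusive_no_code"] = e.request_renew()                      # refused
    r["exclusive_privileged"] = e.request_renew("1234")             # carried out
    r["new_code_set"] = e.set_new_privileged_code("9999")           # path 328
    r["mode_after"] = e.mode.value                                  # "privileged"
    r["new_code_verifies"] = e.verify_privileged("9999")
    f = SecureDevice("1234", "5678", exclusive=True)
    f.unlock_privileged("1234")
    r["privileged_mode_renew"] = f.request_renew()       # block 414: no exclusivity check
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```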

In one or more implementations, a storage device 110 may be connected to or plugged into a host 120 (e.g., via a USB port or other methods) at various times. For example, a storage device 110 may be connected to or plugged into a host 120 prior to any of the operations shown in FIGS. 4 and 5. However, merely plugging in the device 110 to the host 120 does not allow the device 110 to be recognized by the host 120. Even though the device 110 does not require any special software or special driver on the host 120, the device 110 needs to perform certain operations by itself before the device 110 becomes recognizable by the host 120. This improves security of the device 110. The storage device 110 is not recognizable or detectable by the host 120 until after a security access code (e.g., received at an input device 246) is verified by a controller 258. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is initiated. In one or more aspects, an enumeration process does not commence until after a security access code is verified by a controller (e.g., 258) of the storage device. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is completed. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an encryption key is retrieved (e.g., from the memory 240) and is made available for encrypting user data. When the device 110 is unlocked (e.g., as a result of, in response to or after one or more operations described in this paragraph), the device is recognizable by the host 120.

In one or more aspects, enumeration may be a process of having a device attached or connected to or plugged into the host 120, such as the device 110, detected and identified. In one or more implementations, enumeration information may include a product identifier, a vendor identifier, a device descriptor, a configuration description, and an interface descriptor. In one example, enumeration information includes USB enumeration information, which may include, for example, a USB product ID, USB vendor ID, USB device type, USB device class, USB device speed, USB device descriptor, etc. In one or more implementations, enumeration information is not settable or changeable by any user (e.g., any privileged user or any restricted user). In one or more implementations, enumeration information is permanent information describing a device.

After an enumeration process with the host 120 is completed, a component of the controller 258 may notify the completion to other components within the controller 258 and/or provide a completion signal to an output device 244. In one aspect, after the enumeration process is completed, the host 120 and the device 110 may be ready to exchange data (e.g., user data).

In one or more implementations, when an encryption key is stored in a storage device 110 (e.g., a controller 258, its component, or a memory 240), the encryption key may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof). In one example, an encryption key may refer to one or more encryption keys. In one example, when an encryption key is set to, or replaced by, a new encryption key, and if a storage device 110 contains more than one encryption key, then all encryption keys in the storage device are set to, or replaced by, new encryption keys. In one example, if a storage device 110 is described as containing a new encryption key, and the storage device contains multiple encryption keys, then all encryption keys in the storage device are new encryption keys. In one aspect, an encryption key may refer to a form of encryption key (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof).

In one or more implementations, when an access code (e.g., a privileged access code, a restricted access code, a recovery access code, or a concealed access code) is stored in the storage device 110 (e.g., a controller 258 or a memory 240), the access code may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof). In one example, an access code may refer to one or more access codes. In one example, a nullified access code may refer to one or more nullified access codes. In one example, when a storage device contains a nullified access code, all access codes may be nullified access codes.

In one aspect, data stored in the memory 232 is user data. In one aspect, user data does not control any operation of a storage device 110. In one aspect, user data does not instruct any controller (e.g., 258) of the storage device 110 to perform a function. In one aspect, user data does not include any access codes, any configuration profiles, settings, data or parameters, or any encryption key of the storage device. In one aspect, user data does not include any data inputted at an input device (e.g., 246) of the storage device 110. In one aspect, user data does not include any output produced at an output device (e.g., 244) of the storage device 110. In one aspect, user data is received from a host 120. In one aspect, user data is transferred to the memory 232 and retained in the memory 232 when power is off. In one aspect, user data is not retained in the controller 258 when power is off.

Additional descriptions and advantages are provided below with respect to an exclusive mode, a nonexclusive mode and a renewed mode.

In one aspect, an exclusive mode is a feature designed to prevent redeployment of storage devices with unauthorized configuration profiles or settings. A storage device (e.g., 110) may include a physical input device, a memory, and a controller and may include programmable settings that may be managed by a user. However, there may be configuration profiles only available to a privileged user due to data security or other reasons. For example, such profiles may be set or changed only when a privileged security access code is verified or only when a storage device is in a privileged mode. A controller (e.g., 258) may set a storage device to an exclusive mode or a nonexclusive mode or may change an exclusive mode to a nonexclusive mode and vice versa. In one aspect, this may occur while a storage device is in a privileged mode. In one aspect, this may be performed by the controller based on a control input and a determination of a privileged user. In one advantageous implementation, the control input may be received from a physical input device (e.g., a keypad) of the storage device. In alternative examples, the control input may be received from software or other means. When a storage device is in an exclusive mode, the ability to reset and redeploy the storage device (with unauthorized settings or settings that are against a company's security policy) is restricted. For example, such ability may be restricted to a privileged user and require authentication via a control signal (e.g., a privileged security access code) to allow the storage device to accept new settings/profiles and operate normally. In alternative examples, this functionality may be configured so the storage device can be reset by a restricted user but only to their default settings.

In one or more aspects, implementing an exclusive mode is advantageous as it may address various issues companies may experience with portable secure storage devices.

One issue may be unauthorized users modifying a company's security policy of storage devices. Implementing an exclusive mode would prevent an unauthorized user from resetting and redeploying a portable secure storage device. This would prevent an unauthorized user from modifying a company's existing device security policy that has been placed into the device by a privileged user. Such security policy may include, for example, a privileged access code, a restricted access code, a minimum access code length, an auto-lock setting, a lock-override setting, and the allowed number of unsuccessful security access code entry attempts. In one aspect, an unauthorized user may be a user who does not have the correct privileged security access code to the storage device.

Another issue may be the effectiveness of device whitelisting. When an exclusive mode is not implemented, once the unauthorized user has physical possession of a whitelisted storage device, he or she could reset and redeploy the device, set up a new privileged access code and start using the device as his or her own device on a company's secure network. When an exclusive mode is implemented on a storage device, the device cannot be reset and redeployed without the control signal (e.g., a valid privileged security access code). This would prevent an unauthorized user, who does not have the control signal, from resetting and redeploying a whitelisted device and starting to use it with different, unauthorized settings or settings that are against a company's security policy. Implementing an exclusive mode would make the device whitelisting protection more effective.

In one or more aspects, the subject technology may be carried out, for example, by one or more of the following:

A method comprising one or more methods or operations described herein.

An apparatus or a portable storage device comprising one or more memories or registers (e.g., 232, 240) and one or more processors (e.g., 258) coupled to the one or more memories, the one or more processors configured to cause the apparatus to perform one or more methods or operations described herein.

A hardware apparatus comprising circuits (e.g., 258, 246, 244) configured to perform one or more methods, operations, or portions thereof described herein.

An apparatus or a portable storage device comprising means (e.g., 258, 246, 244) adapted for performing one or more methods or operations described herein.

A computer-readable storage medium (e.g., 240, one or more memories, one or more registers, and/or one or more media) comprising instructions stored therein, the instructions comprising code for performing one or more methods or operations described herein.

A computer-readable storage medium (e.g., 240, one or more memories, one or more registers, and/or one or more media) storing instructions that, when executed by one or more processors (e.g., 258), cause one or more processors to perform one or more methods, operations or portions thereof described herein.

An apparatus or a portable storage device comprising means (e.g., 258, 246, 244) for performing one or more operations described with reference to FIGS. 3, 4, and/or 5 or one or more operations described herein.

While detailed description is provided above, one or more alternative implementations may utilize other modes, and one or more alternative implementations may utilize other methods and paths to enter into or exit from a mode, such as a renewed mode.

In one aspect, a method may be an operation, an instruction, or a function and vice versa. In one aspect, a clause or a claim may be amended to include some or all of the words (e.g., instructions, operations, functions, or components) recited in one or more sentences, one or more phrases, one or more paragraphs, and/or one or more claims. A claim may have multiple dependencies based on any of the other claims.

An example of the present disclosure may be an article of manufacture in which a non-transitory machine-readable medium (such as microelectronic memory, e.g., 240) has stored thereon instructions (e.g., in firmware) which program one or more data processing components (e.g., the controller 258, or a processor) to perform one or more operations described herein. In other examples, some of these operations may be performed by specific hardware components that contain hardwired logic. Those operations may alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.

In some cases, an example of the present disclosure may be an apparatus (e.g., a secure flash storage device) that includes one or more hardware and firmware/software logic structures for performing one or more of the operations described herein. For example, as described above, the apparatus may include a memory unit, which stores instructions that may be executed by a hardware processor installed in the apparatus. The apparatus may also include one or more other hardware or software elements, including a network interface, a display device, etc.

The term “machine-readable storage medium,” “computer readable medium” or “medium” may refer to any medium or media (e.g., 240) that participate in providing instructions to a processor or controller (e.g., 258) for execution. Such a medium may take many forms, including, but not limited to, non-volatile media and volatile media. Non-volatile media include, for example, optical or magnetic disks, such as a data storage unit. Volatile media include dynamic memory. To illustrate the interchangeability of hardware, firmware and software, items such as the various illustrative blocks, modules, components, methods, operations, instructions, and algorithms have been described generally in terms of their functionality. Whether such functionality is implemented as hardware, firmware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application.

A reference to an element in the singular is not intended to mean one and only one unless specifically so stated, but rather one or more. For example, “a” controller may refer to one or more controllers. An element preceded by “a,” “an,” “the,” or “said” does not, without further constraints, preclude the existence of additional same elements.

Headings and subheadings, if any, are used for convenience only and do not limit the invention. The word exemplary is used to mean serving as an example or illustration. To the extent that the term include, have, contain or the like is used, such term is intended to be inclusive in a manner similar to the term comprise as comprise is interpreted when employed as a transitional word in a claim. Relational terms such as first and second and the like may be used to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between such entities or actions. The term coupling, connecting, or the like is intended to include direct and indirect coupling and direct and indirect connecting. The term coupled, connected, or the like is intended to include directly and indirectly coupled and directly and indirectly connected.

Phrases such as an aspect, the aspect, another aspect, some aspects, one or more aspects, an implementation, the implementation, another implementation, some implementations, one or more implementations, an embodiment, the embodiment, another embodiment, some embodiments, one or more embodiments, a configuration, the configuration, another configuration, some configurations, one or more configurations, the subject technology, the disclosure, the present disclosure, other variations thereof and alike are for convenience and do not imply that a disclosure relating to such phrase(s) is essential to the subject technology or that such disclosure applies to all configurations of the subject technology. A disclosure relating to such phrase(s) may apply to all configurations, or one or more configurations. A disclosure relating to such phrase(s) may provide one or more examples. A phrase such as an aspect or some aspects may refer to one or more aspects and vice versa, and this applies similarly to other foregoing phrases.

A phrase “at least one of” preceding a series of items, with the terms “and” or “or” to separate any of the items, modifies the list as a whole, rather than each member of the list. The phrase “at least one of” does not require selection of at least one item; rather, the phrase allows a meaning that includes at least one of any one of the items, and/or at least one of any combination of the items, and/or at least one of each of the items. By way of example, each of the phrases “at least one of A, B, and C” or “at least one of A, B, or C” refers to only A, only B, or only C; any combination of A, B, and C; and/or at least one of each of A, B, and C.

It is understood that the specific order or hierarchy of steps, operations, or processes disclosed is an illustration of exemplary approaches. Unless explicitly stated otherwise, it is understood that the specific order or hierarchy of steps, operations, or processes may be performed in different order. Some of the steps, operations, or processes may be performed simultaneously. The accompanying method claims, if any, present elements of the various steps, operations or processes in a sample order, and are not meant to be limited to the specific order or hierarchy presented. Unless explicitly stated otherwise, these may be performed in serial, linearly, in parallel or in different order. It should be understood that the described instructions, operations, and systems can generally be integrated together in a single software/hardware product or packaged into multiple software/hardware products.

The disclosure is provided to enable any person skilled in the art to practice the various aspects described herein. In some instances, well-known structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject technology. The disclosure provides various examples of the subject technology, and the subject technology is not limited to these examples. Various modifications to these aspects will be readily apparent to those skilled in the art, and the principles described herein may be applied to other aspects.

All structural and functional equivalents to the elements of the variousaspects described throughout the disclosure that are known or later cometo be known to those of ordinary skill in the art are expresslyincorporated herein by reference and are intended to be encompassed bythe claims. Moreover, nothing disclosed herein is intended to bededicated to the public regardless of whether such disclosure isexplicitly recited in the claims. No claim element is to be construedunder the provisions of 35 U.S.C. § 112, sixth paragraph, unless theelement is expressly recited using a phrase means for or, in the case ofa method claim, the element is recited using the phrase step for.

The entire content of U.S. patent application Ser. No. 15/286,465 isincorporated herein by reference.

The title, background, brief description of the drawings, abstract, anddrawings are hereby incorporated into the disclosure and are provided asillustrative examples of the disclosure, not as restrictivedescriptions. It is submitted with the understanding that they will notbe used to limit the scope or meaning of the claims. In addition, in thedetailed description, it can be seen that the description providesillustrative examples and the various features are grouped together invarious implementations for the purpose of streamlining the disclosure.The method of disclosure is not to be interpreted as reflecting anintention that the claimed subject matter requires more features thanare expressly recited in each claim. Rather, as the following claimsreflect, inventive subject matter lies in less than all features of asingle disclosed configuration or operation. The following claims arehereby incorporated into the detailed description, with each claimstanding on its own as a separately claimed subject matter.

The claims are not intended to be limited to the aspects describedherein, but are to be accorded the full scope consistent with thelanguage claims and to encompass all legal equivalents. Notwithstanding,none of the claims are intended to embrace subject matter that fails tosatisfy the requirements of the applicable patent law, nor should theybe interpreted in such a way.

What is claimed is:
1. A portable secure storage device that is self-convertible from a current mode to a renewed mode, comprising: a casing; a memory disposed within the casing and configured to store encrypted information; an input device disposed at the casing, configured to receive a privileged security access code, and configured to receive a restricted security access code; an output device disposed at the casing and configured to provide an output; a controller disposed within the casing and coupled to the input device, wherein the controller is configured to cause: unlocking the portable secure storage device based on the privileged security access code or the restricted security access code; and locking the portable secure storage device based on a request, a status, an occurrence of a first event, or an omission of a second event; wherein the controller is configured to cause: storing a privileged access code in the controller; storing a restricted access code in the controller; receiving a first input via the input device; in response to the first input, self-determining, without communicating with a host, whether a request is made to self-convert the portable secure storage device from the current mode to the renewed mode, wherein the host is separate and distinct from the portable secure storage device; self-determining, without communicating with the host, whether the portable secure storage device is in an exclusive mode or a nonexclusive mode; when the request is made, when the portable secure storage device is in the exclusive mode, and when the privileged security access code received at the input device is verified against the stored privileged access code: self-converting, without communicating with the host, the portable secure storage device from the current mode to the renewed mode; and when the request is made and when the portable secure storage device is in the nonexclusive mode: without communicating with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified, self-converting the portable secure storage device from the current mode to the renewed mode, and wherein: when the portable secure storage device is in the renewed mode, the stored privileged access code is a nullified privileged access code, wherein the nullified privileged access code is unusable to verify any security access code, which is received at the input device while the portable secure storage device contains the nullified privileged access code, when data is encrypted using an encryption key and stored prior to the portable secure storage device being in the renewed mode, and when the portable secure storage device is in the renewed mode, the portable secure storage device contains a new encryption key that is unusable for decrypting the data encrypted using the encryption key, the restricted security access code is different from the privileged security access code, the restricted security access code is usable to change a less number of configuration profiles of the portable secure storage device than the privileged security access code, the restricted security access code is unusable to convert the portable secure storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode, and when the portable secure storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from converting the portable secure storage device from the current mode to the renewed mode even if the restricted security access code is verified.
2. The portable secure storage device of claim 1, wherein when the portable secure storage device is in the renewed mode: all access codes in the portable secure storage device are nullified access codes, wherein at least a portion of each of the nullified access codes is not representable by any input enterable at the input device, none of the nullified access codes is usable to verify any security access code received at the input device while the portable secure storage device contains the nullified access codes, none of the nullified access codes contains all zeros, and the all access codes include the stored privileged access code and the stored restricted access code; and all configuration profiles of the portable secure storage device, excluding the all access codes, have predetermined values.
3. The portable secure storage device of claim 1, wherein self-converting the portable secure storage device from the current mode to the renewed mode comprises: without communicating with the host, setting the stored privileged access code into the nullified privileged access code.
4. The portable secure storage device of claim 3, wherein self-converting the portable secure storage device from the current mode to the renewed mode comprises: without communicating with the host, setting the stored restricted access code into a nullified restricted access code; and without communicating with the host, setting the encryption key in the portable secure storage device into the new encryption key.
5. The portable secure storage device of claim 4, wherein self-converting the portable secure storage device from the current mode to the renewed mode comprises: setting all configuration profiles of the portable secure storage device, excluding the nullified privileged access code and the nullified restricted access code, to predetermined values.
6. The portable secure storage device of claim 1, wherein the controller is configured to cause: prior to the request is made, determining that a second request is made to self-convert the portable secure storage device from a previous mode to the current mode, wherein the current mode is a privileged mode; verifying the privileged security access code against the stored privileged access code; and self-converting the previous mode to the privileged mode, wherein when the portable secure storage device is in the privileged mode, the portable secure storage device is convertible between the exclusive mode and the nonexclusive mode, wherein when the portable secure storage device is not in the privileged mode, the portable secure storage device is prevented from converting between the exclusive mode and the nonexclusive mode, and wherein after determining that the request is made to self-convert the portable secure storage device from the privileged mode to the renewed mode, the controller is configured to cause self-converting the portable secure storage device from the privileged mode to the renewed mode.
7. The portable secure storage device of claim 1, wherein the current mode is a locked mode, and wherein when the portable secure storage device is in the locked mode, the portable secure storage device is not recognizable by the host even if the portable secure storage device is plugged into the host.
8. The portable secure storage device of claim 7, wherein the portable secure storage device is configured to enter into the locked mode when one or more of the following occur: the input device receives a second request to lock the portable secure storage device; power from the host to the portable secure storage device is interrupted; the portable secure storage device is unplugged from the host; the portable secure storage device is electrically disengaged from the host in response to a third request; the portable secure storage device idles for a period of time; or the portable secure storage device is not plugged into the host within a period of time after a security access code received at the input device is verified.
9. The portable secure storage device of claim 1, wherein the current mode is a protected mode, and wherein when the portable secure storage device is in the protected mode, the portable secure storage device contains the new encryption key or another new encryption key, wherein the another new encryption key is unusable for decrypting data encrypted and stored in the memory prior to the portable secure storage device being in the protected mode.
10. The portable secure storage device of claim 9, wherein while not in the protected mode, the controller is configured to store the privileged access code as at least two representations at different locations of the controller, wherein when the portable secure storage device is in the protected mode: all access codes in the portable secure storage device, except one of the at least two representations, are nullified access codes, wherein the one of the at least two representations is usable to verify the privileged security access code received at the input device; and all configuration profiles of the portable secure storage device, excluding the all access codes, have predetermined values, and wherein when the portable secure storage device converts from the protected mode to the renewed mode, the one of the at least two representations is nullified.
11. The portable secure storage device of claim 10, wherein when the current mode is the protected mode, when the request is made, when the portable secure storage device is in the exclusive mode, and when the privileged security access code received at the input device is verified against the one of the at least two representations, the controller is configured to convert the portable secure storage device from the protected mode to the renewed mode.
12. The portable secure storage device of claim 9, wherein when a count of unsuccessful security access codes entered into the input device exceeds a threshold number, the portable secure storage device is configured to enter into the protected mode.
13. The portable secure storage device of claim 1, wherein when the portable secure storage device is in the renewed mode with the nullified privileged access code and the new encryption key, the controller is configured to accept a request to create a new privileged access code, and the controller is configured to enable processing a new privileged security access code entered at the input device and storing the new privileged security access code as the new privileged access code, and wherein when the controller contains the new privileged access code, the portable secure storage device is no longer in the renewed mode.
14. The portable secure storage device of claim 13, wherein when a second privileged security access code is inputted at the input device and verified against the new privileged access code, the portable secure storage device is configured to facilitate formatting the memory.
15. The portable secure storage device of claim 13, wherein when a second privileged security access code is inputted at the input device and verified against the new privileged access code, the portable secure storage device is configured to enable processing a new restricted security access code entered at the input device and storing the new restricted security access code as a new restricted access code.
16. The portable secure storage device of claim 1, wherein when the portable secure storage device is in the exclusive mode, a concealed mode is disabled, and wherein when the portable secure storage device is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at the input device is verified: the controller is configured to set an encryption key in the portable secure storage device into the new encryption key or another new encryption key, wherein the another new encryption key is unusable for decrypting data encrypted and stored in the memory before the another new encryption key is set into the portable secure storage device; and the controller is configured to store the concealed security access code into the portable secure storage device as a new privileged access code, wherein the new privileged access code is usable to verify another privileged security access code entered after the new privileged access code is stored.
17. The portable secure storage device of claim 1, wherein the first input comprises multiple inputs, and wherein prior to the request is made, when a second request is made to enter into an operating mode different from the renewed mode, and the restricted security access code or the privileged security access code is verified, the portable secure storage device is configured to cause unlocking the portable secure storage device and is configured to cause, when a read request from the host is received, decrypting the data encrypted and providing the decrypted data to the host.
18. A portable storage device that is self-transformable to a renewed mode, comprising: a housing; a memory disposed within the housing and configured to store information; an input device disposed at the housing and configured to receive a first security access code, and configured to receive a second security access code; a controller disposed within the housing and coupled to the input device, wherein the controller is configured to cause: determining, without communicating with a host, that a request is made to self-transform the portable storage device to the renewed mode, wherein the host is separate and distinct from the portable storage device; determining, without communicating with the host, whether the portable storage device is in an exclusive mode or a nonexclusive mode; when the portable storage device is in the exclusive mode, and only when the first security access code is verified: self-transforming, without communicating with the host, the portable storage device to the renewed mode; and when the portable storage device is in the nonexclusive mode: without requiring communication with the host, without requiring verification of the first security access code, and without requiring verification of the second security access code, self-transforming the portable storage device to the renewed mode, and wherein: when the portable storage device is in the renewed mode, all access codes in the portable storage device are nullified access codes, none of which is usable to verify any security access code received at the input device while the portable storage device contains the nullified access codes, when the portable storage device is in the renewed mode, the portable storage device contains a new encryption key that is unusable for decrypting data encrypted and stored in the memory prior to the new encryption key is set in the portable storage device, the second security access code is different from the first security access code, the second security access code is unusable to convert the portable storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode, and when the portable storage device is in the exclusive mode, and when the first security access code is not verified, the controller is prevented from transforming the portable storage device to the renewed mode even if the second security access code is verified.
19. A storage device that is self-transformable to a renewed mode, comprising: a housing; a memory disposed within the housing and configured to store information; an input device disposed at the housing and configured to receive a privileged security access code, and configured to receive a restricted security access code; a controller disposed within the housing and coupled to the input device, wherein the controller is configured to cause: determining, without communicating with a host, whether the storage device is in an exclusive mode or a nonexclusive mode; determining, without communicating with the host, whether the storage device is in a privileged mode, a locked mode or a protected mode; determining, without communicating with the host, whether a request is made to self-transform the storage device to the renewed mode; when the request is made, and the storage device is in the privileged mode, self-transforming, without communicating with the host, the storage device to the renewed mode, regardless of whether the storage device is in the exclusive mode or the nonexclusive mode; when the request is made, when the storage device is in the locked mode or the protected mode, and when the storage device is in the nonexclusive mode: without requiring communication with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified, self-transforming the storage device to the renewed mode; and when the request is made, and when the storage device is in the protected mode and in the exclusive mode: self-transforming, without communicating with the host, the storage device to the renewed mode, only when the privileged security access code is verified, and wherein: when the storage device is transformed into the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device while the storage device contains the nullified access codes, when data is encrypted using an encryption key and stored in the memory prior to the storage device being transformed into the renewed mode, and when the storage device is transformed into the renewed mode, the storage device contains a new encryption key that is unusable for decrypting the data stored in the memory prior to the storage device being transformed into the renewed mode, when the storage device is in the privileged mode, the privileged security access code is verified, and the storage device is convertible between the exclusive mode and the nonexclusive mode, when the storage device is in the locked mode, the storage device is not recognizable by the host even if the storage device is connected to the host, when the storage device is in the protected mode, the storage device contains the new encryption key or another new encryption key, wherein the another new encryption key is unusable for decrypting data encrypted and stored in the memory prior to the storage device being in the protected mode, the restricted security access code is different from the privileged security access code, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode, and when the storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from transforming the storage device to the renewed mode even if the restricted security access code is verified.
20. The storage device of claim 19, wherein the nullified access codes are not all zeros and are not predetermined values, and wherein when the storage device is transformed into the renewed mode, all configuration profiles of the storage device, excluding the all access codes, have predetermined values.
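The claims above state the controller's mode logic in prose. The Python model below is an added example, not the patent's code or any vendor's firmware, and walks that logic through one scenario: an exclusive device is locked out into the protected mode after too many wrong codes (claim 12), which rotates the key so ciphertext written earlier becomes unreadable (claims 9 and 10), and is then renewed with the one surviving privileged-code representation (claim 11); a nonexclusive device renews with no code checked at all (claims 1 and 19). The keypad alphabet, the lockout threshold, the HMAC-based stand-in cipher and every name here are assumptions, and comparing an entered code against a stored plaintext copy is a simplification of whatever representation a real controller keeps.

```python
# Model of the controller mode logic set out in the claims above (claims 1, 2, 6, 9-13 and 19). Added
# example, not the patent's code: keypad alphabet, lockout threshold, stand-in cipher and names are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum, auto

class Mode(Enum):  # operating modes named in claims 6, 7, 9 and 13
    PRIVILEGED = auto()
    LOCKED = auto()
    PROTECTED = auto()
    RENEWED = auto()

KEYPAD = b"0123456789"  # assumed: the input device can enter decimal digits only
LOCKOUT_THRESHOLD = 10  # assumed value for the claim-12 threshold

def nullified_code() -> bytes:
    """Claim 2: not all zeros and holding a byte the keypad cannot enter, so no entered code can match it."""
    while True:
        c = os.urandom(8)
        if any(c) and any(b not in KEYPAD for b in c):
            return c

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy authenticated stream cipher: a stand-in for the device's cipher, not for production use."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong key: the stored data is unusable, as the claims require
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

@dataclass
class Controller:
    exclusive: bool = True
    mode: Mode = Mode.LOCKED
    privileged: bytes = field(default_factory=nullified_code)
    privileged_alt: bytes = field(default_factory=nullified_code)  # claim 10: second representation
    restricted: bytes = field(default_factory=nullified_code)
    key: bytes = field(default_factory=lambda: os.urandom(32))
    failures: int = 0

    def _check(self, stored: bytes, entered: bytes) -> bool:
        ok = hmac.compare_digest(stored, entered)
        self.failures = 0 if ok else self.failures + 1
        if self.failures > LOCKOUT_THRESHOLD:  # claim 12
            self.enter_protected()
        return ok

    def set_privileged(self, code: bytes) -> None:
        self.privileged = self.privileged_alt = code
        if self.mode is Mode.RENEWED:  # claim 13: storing a code ends the renewed mode
            self.mode = Mode.LOCKED

    def unlock_privileged(self, entered: bytes) -> bool:
        if self._check(self.privileged, entered):  # claim 6
            self.mode = Mode.PRIVILEGED
        return self.mode is Mode.PRIVILEGED

    def enter_protected(self) -> None:  # claims 9, 10, 12: new key, every code but one representation nullified
        self.key, self.privileged, self.restricted = os.urandom(32), nullified_code(), nullified_code()
        self.mode = Mode.PROTECTED

    def renew(self, entered: bytes = b"") -> bool:
        """Claims 1, 11, 19: the privileged code is required only when exclusive and not already in
        privileged mode; a nonexclusive device renews without checking any code."""
        if self.exclusive and self.mode is not Mode.PRIVILEGED:
            stored = self.privileged_alt if self.mode is Mode.PROTECTED else self.privileged
            if not self._check(stored, entered):
                return False
        self.privileged, self.privileged_alt, self.restricted = (nullified_code() for _ in range(3))
        self.key = os.urandom(32)  # ciphertext written under the old key can no longer be decrypted
        self.mode = Mode.RENEWED
        return True

def demo() -> dict:
    """Exclusive device: store data, get locked out into protected mode, renew; then a nonexclusive renewal."""
    dev = Controller(mode=Mode.RENEWED)
    dev.set_privileged(b"2468")
    blob = encrypt(dev.key, b"top secret")
    r = {"readable": decrypt(dev.key, blob) == b"top secret"}
    r["renew_refused_wrong_code"] = not dev.renew(b"0000")  # exclusive: privileged code required
    for _ in range(LOCKOUT_THRESHOLD):
        dev.unlock_privileged(b"0000")
    r["protected_after_lockout"] = dev.mode is Mode.PROTECTED
    r["old_data_unreadable"] = decrypt(dev.key, blob) is None
    r["renewed_from_protected"] = dev.renew(b"2468")  # claim 11: checked against the kept representation
    r["old_code_now_useless"] = not dev.unlock_privileged(b"2468")
    open_dev = Controller(exclusive=False)
    open_dev.set_privileged(b"1111")
    r["nonexclusive_renews_without_code"] = open_dev.renew()
    return r
```

`demo()` returns a dictionary of outcome flags, every one of which is True under the claimed rules. The part worth scrutinising in a real implementation is `nullified_code()`: the claims require a nullified code that no keypad entry can reproduce and that is not all zeros, which is what keeps a device left in the renewed mode from being unlocked by guessing, and it is also why the restricted code can never substitute for the privileged one in the exclusive path.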